OSFI provides timely guidance for dealing with cyber security threats and incidents

With Cyber Security Awareness Month just around the corner, it’s time to look critically at your business’ technology and cyber security plans. Increasingly, we hear about significant data breaches resulting in the loss of critical business functions. These breaches can lead to reduced customer trust, economic fallout – or worse.

Each year approximately one-fifth of the overall Canadian business population reports being impacted by cyber security incidents[1]. The scope of the problem is vast. Canadian businesses report spending approximately $7 billion directly on measures to prevent, detect, and recover from cyber security incidents yearly[2].

A strong tech and cyber security plan starts from the top with clear, direct instructions, and policies and resources readily available before an incident occurs. Despite this, only a fifth of businesses in Canada report having written policies in place to manage cyber security risks or report cyber security threats.

Is your business prepared to deal with the ever-changing threats in a digital world?

The first step is to have plans and policies in place before an event occurs. Last month, the Office of the Superintendent of Financial Institutions (OSFI) issued a new advisory on Technology and Cyber Security Incident Reporting. While the OSFI advisory is intended to provide guidance to federally regulated financial institutions, it is helpful for businesses in other industries as a model for best practices when it comes to tech and cyber security. The advisory provides guidance that businesses can use to manage cyber risks and effectively respond to cyber incidents when they do occur.

So, what is a tech and cyber security incident?

These can be any incident that has an impact, or the potential to have an impact, on the operations of your business, including its confidentiality, integrity, or the availability of its systems and information.

Businesses should develop tech and cyber security frameworks and train relevant personnel about the implementation of their framework. These frameworks should include written policies and procedures that outline potential incidents and assign designated personnel responsible for the investigation, assessment, and response.

Businesses’ tech and cyber security frameworks should address all applicable legal requirements and be consistent with regulatory guidance and best practices. Any person responsible for implementing the framework should be appropriately trained, and response decisions should be appropriately documented and reported, as necessary.

Additionally, businesses should also be aware of any contracts they have with third-party service providers and ensure that these contracts contain appropriate provisions that support the organization’s tech and cyber security framework. For instance, third-party contracts can contain provisions requiring the service provider to: promptly notify the business of all tech and cyber security incidents and provide information about each incident; to have mitigation strategies in place; or to carry insurance policies that cover cyber security losses.

Lastly, businesses should remain mindful of any obligations to report, notify or disclose incidents that apply to their industry and any additional obligations they may have stemming from privacy, contract, and common or civil law.

What does this mean for my business/organization?

Being ‘on top’ of the types of things dealt with in the OSFI advisory will put your business in good stead should you experience a tech and cyber security incident. Timing will be crucial. Businesses dealing with these incidents, with no plan in place, are at a major disadvantage; they will always be playing ‘catch up’ to the incident. And that will likely translate into a variety of increased costs, both economic and otherwise.

If you would like help navigating your tech and cyber security obligations in a proactive manner, developing a tech and cyber security framework, responding to incidents, or have general questions, we would be pleased to assist.

[1] Statistics Canada, The Daily, Tuesday, October 20, 2020.
[2] Ibid.

Prepared by:

Adam Herstein

Adam Herstein
[email protected]


Cora Eaton

Cora Eaton
[email protected]